Skip to content
September 19, 2007 / Bob Black

Salted Passwords, and Other Cryptographic Goodness

Thomas Ptacek’s response to Jeff Atwood’s post on storing passwords securely is going in my bookmarks for posterity. This post, actually both posts, should be required reading for anyone building secure web site.

Make that all developers, period. We should all have a basic understanding of how to store passwords securely, and how bad it can be if we don’t.

Some important lessons I learned:

  • Never try to roll your own “cute” security algorithm or whatever. Just use the solutions professional cryptographers have spent their lives perfecting. Your little algorithm may remain uncracked for years, until one day your customers’ credit card numbers (or worse) start showing up on some web site in Bangkok.
  • Always salt stored passwords before hashing to thwart rainbow table crack attacks.

This is good stuff.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: